Details

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The mod_wsgi adapter is an Apache module that provides a WSGI-compliant interface for hosting Python-based web applications within Apache.

It was found that mod_wsgi did not properly drop privileges if the call to setuid() failed. If mod_wsgi was set up to allow unprivileged users to run WSGI applications, a local user able to run a WSGI application could possibly use this flaw to escalate their privileges on the system. (CVE-2014-0240)

Note: mod_wsgi is not intended to provide privilege separation for WSGI applications. Systems relying on mod_wsgi to limit or sandbox the privileges of mod_wsgi applications should migrate to a different solution with proper privilege separation.
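The first flaw is an instance of a general bug class: a privileged process calls setuid() to switch to an unprivileged user, ignores the return value, and carries on when the call fails, so the untrusted code that follows runs with the original privileges. The following is an added illustration of that pattern and of the checked alternative; it is not mod_wsgi's code, and the function names (drop_privileges_unchecked, drop_privileges_checked, may_run_application_as) are chosen for this example. It assumes a POSIX system with the standard setgid()/setuid()/getuid() calls.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Vulnerable pattern (illustrative, not mod_wsgi's code): the return values
 * of setgid()/setuid() are discarded. setuid() can fail, for example with
 * EPERM when the caller lacks the privilege to change identity, or on Linux
 * with EAGAIN when the target uid is already at its RLIMIT_NPROC limit. On
 * failure the process simply continues with its original identity.
 */
void drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    (void)setgid(gid);  /* result discarded */
    (void)setuid(uid);  /* result discarded: on failure we are still who we were */
    /* ... the application would be started here regardless ... */
}

/*
 * Hardened pattern: check every call, then verify with getuid()/geteuid()
 * that the identity really changed and that the drop cannot be undone.
 * Returns 0 on success, -1 with errno set on failure; on failure the caller
 * must refuse to start the application rather than fall through.
 * (Real code should also clear supplementary groups with setgroups() while
 * still privileged; that call is omitted here to keep the example portable.)
 */
int drop_privileges_checked(uid_t uid, gid_t gid)
{
    /* Group first: once the uid is dropped, setgid() would itself fail. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Do not trust the return codes alone: ask the kernel who we are now. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }

    /* A drop from root must be irreversible: being able to regain uid 0
     * here would mean a saved set-user-ID was left behind. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/*
 * Gatekeeper for the application launcher: returns 1 if the application may
 * be started under uid:gid, 0 if it must not be started at all.
 */
int may_run_application_as(uid_t uid, gid_t gid)
{
    if (drop_privileges_checked(uid, gid) != 0) {
        fprintf(stderr, "refusing to run application: cannot switch to %lu:%lu: %s\n",
                (unsigned long)uid, (unsigned long)gid, strerror(errno));
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Switching to our own identity is always permitted and shows the success
     * path; an identity we may not assume shows the refusal path. */
    uid_t me = getuid();
    gid_t mygid = getgid();

    printf("drop to %lu:%lu -> %s\n", (unsigned long)me, (unsigned long)mygid,
           may_run_application_as(me, mygid) ? "ok, run application" : "refused");
    if (geteuid() != 0) /* as root the second switch would actually succeed */
        printf("drop to %lu:%lu -> %s\n", (unsigned long)(me + 1), (unsigned long)mygid,
               may_run_application_as(me + 1, mygid) ? "ok, run application" : "refused");
    return 0;
}
```

The essential difference is that the checked version treats a failed identity change as fatal for the request: the application is never started under the wrong user. Even with that fix, a setuid()-based switch inside one process tree is not a security boundary, which is the point of the note above.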

It was discovered that mod_wsgi could leak memory of a hosted web application via the "Content-Type" header. A remote attacker could possibly use this flaw to disclose limited portions of the web application's memory. (CVE-2014-0242)

Red Hat would like to thank Graham Dumpleton for reporting these issues. Upstream acknowledges Róbert Kisteleki as the original reporter of CVE-2014-0240, and Buck Golemon as the original reporter of CVE-2014-0242.

All mod_wsgi users are advised to upgrade to this updated package, which contains backported patches to correct these issues.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.